A CERT Coordination Center (CERT/CC) vulnerability note released Tuesday confirmed that Microsoft’s email systems are affected by a spoofing flaw that lets authenticated users impersonate other senders. The flaw could affect millions of Microsoft 365 customers worldwide.
A workaround is available, according to CERT/CC: additional layers of outbound email filtering that can stop the spoofed messages before they are signed or relayed.
The issue, disclosed under VU#517845, stems from ambiguous From: header syntax permitted by the email standards (RFC 5322 allows a single From: field to carry a list of mailboxes, and address-like text inside a quoted display name or a comment) that can be abused to get a spoofed sender past authentication checks. SPF, DKIM, and DMARC verify the sending infrastructure and the sender’s domain; this weakness shows that a message can pass all three and still display a sender other than the account that actually sent it.
How Big Is the Exposure?
Microsoft was listed as “affected” in CERT/CC’s disclosure, with vendor notification dating back to June. Given Microsoft 365’s footprint of more than 300 million active seats globally, the potentially spoofable accounts could number in the hundreds of thousands to millions.
56 Vendors Named, One Confirmed Impacted
The CERT/CC note lists 56 vendors it has notified of the flaw. Microsoft is the only vendor confirmed as affected. Seven vendors, including Cisco, Fastmail, and Siemens, are confirmed not affected. The remaining vendors, among them Google, Apple, Yahoo, GoDaddy, and Proton, are listed as unknown or unresponsive at the time of publication.
“We plan to update this as we approach the new disclosure date with links to documents after we have implemented planned changes,” Google said in a statement to CERT.
What’s Actually Happening
Researchers found that attackers can insert multiple email addresses into the From: field in a way that confuses how mail clients interpret the sender’s identity. Because RFC 5322 syntactically permits more than one mailbox in From:, as well as address-like text inside a quoted display name or a comment, the sending server, the authentication checks, and the recipient’s mail client can each settle on a different address as “the sender.”
Example:
From:
Most clients display only the last address, ceo@company.com, while the message still passes SPF, DKIM, and DMARC validation: it left the provider’s own servers from an authenticated account, so the provider’s SPF records and DKIM signature cover it, and DMARC alignment is checked at the domain level, so any address at company.com aligns. The result is a message that looks genuine and authenticates as genuine, even though it was sent by whoever held the authenticated credentials.
This method builds on previous research into SMTP Smuggling and RFC 5322 header abuse, but now shifts the spotlight to mainstream providers like Microsoft, Google, and Apple. While Cisco and Fastmail reported they were not affected, others have yet to provide detailed statements or patches.
Why It Matters to Practitioners
For defenders, this breaks the trust model that modern email authentication is assumed to provide. If an attacker holding valid SMTP credentials (a compromised account, a mail relay, or even an approved app) can spoof another user within the same domain, traditional anti-phishing controls, which key on failed or misaligned authentication results, may not flag it.
In short, authenticated doesn’t mean genuine.
That’s particularly problematic for enterprises using automated senders or service accounts that rely on SMTP relay authentication, a common pattern in Microsoft 365 and hybrid environments: those credentials are often shared across many hosts and scripts, and a single leaked one yields an authenticated sending path that can spoof any address in the domain.
Mitigation and Next Steps
CERT/CC recommends that mail providers and admins verify outgoing email headers before signing or relaying messages. Milterfrom 1.0.4 and later include fixes that enforce tighter validation between the envelope sender and the header fields.
For Microsoft 365 administrators:
- Audit all authenticated senders and app connectors.
- Enforce “From address rewriting” or strict sender alignment where possible, so the header From: is forced to match the authenticated account (or an explicitly delegated send-as address).
- Quarantine messages with more than one From: header line, more than one address in a single From: header, address-like text in a display name or comment, or other ambiguous header syntax.
- Re-evaluate any automation scripts or third-party integrations that send mail on behalf of users.
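The header trick described under “What’s Actually Happening” and the quarantine-and-alignment checks in the list above are easier to see in code. The following is an added example written for this article; it is not code from the CERT/CC note, from Microsoft, or from Milterfrom. It plays the role of an outbound relay (or milter) that is told which account authenticated over SMTP, enumerates every address a client could display as the sender, and refuses to sign or relay anything that is ambiguous or not aligned with that account. The header values, the account names (intern@company.com, ceo@company.com, noreply@company.com) and the send-as allow-list are constructed for illustration, and the addr-spec regex is a deliberately simplified matcher.

```python
"""Ambiguous From: detection and sender alignment for an outbound relay.

Added example for this article; not code from CERT/CC, Microsoft or Milterfrom.
Assumes the relay knows the SMTP AUTH identity, as a milter is told it.
"""
import re
from typing import Dict, FrozenSet, List, Tuple

# Simplified addr-spec matcher (local@domain.tld).  It deliberately ignores
# where the text sits (angle brackets, quoted display name, comment, group),
# because a mail client may pick "the sender" from any of those positions.
# Quoted local parts, IP-literal domains and IDNs are not handled; a real
# milter should run a full RFC 5322 parser and apply the same rule to it.
ADDR_SPEC = re.compile(
    r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}"
)

AUTH_USER = "intern@company.com"  # constructed: the account that logged in

SAMPLES: Dict[str, str] = {  # constructed From: header values, not from the advisory
    "honest": "Alice Intern <intern@company.com>",
    "two_mailboxes": "<intern@company.com>, <ceo@company.com>",
    "addr_in_name": '"ceo@company.com" <intern@company.com>',
    "addr_in_comment": "intern@company.com (ceo@company.com)",
    "group": "Staff: intern@company.com, ceo@company.com;",
    "plain_spoof": "CEO <ceo@company.com>",
    "delegated": "No Reply <noreply@company.com>",
}


def candidate_senders(from_header: str) -> List[str]:
    """Every address a client could display as the sender, in header order.

    A client that shows the first entry and one that shows the last entry will
    disagree whenever this list has more than one element.
    """
    return [m.group(0).lower() for m in ADDR_SPEC.finditer(from_header)]


def same_domain(addr_a: str, addr_b: str) -> bool:
    """DMARC-style relaxed alignment: only the domain part is compared.

    This is why DMARC alone cannot catch intern@ posing as ceo@ in one domain.
    """
    return addr_a.rsplit("@", 1)[-1].lower() == addr_b.rsplit("@", 1)[-1].lower()


def check_from(from_header: str, authenticated_user: str,
               allow_send_as: FrozenSet[str] = frozenset()) -> Tuple[bool, str]:
    """Accept only an unambiguous From: that aligns with the SMTP AUTH identity.

    Returns (accept, reason).  On False the relay should reject or quarantine
    instead of DKIM-signing, since the signature would vouch for whichever
    address the recipient's client happens to display.
    """
    candidates = candidate_senders(from_header)
    if not candidates:
        return False, "no address in From:"
    if len(candidates) > 1:
        return False, f"ambiguous From: {len(candidates)} addresses {candidates}"
    sender = candidates[0]
    permitted = {authenticated_user.lower(), *(a.lower() for a in allow_send_as)}
    if sender not in permitted:
        return False, f"From: {sender} does not match authenticated user {authenticated_user}"
    return True, "aligned"


def evaluate_samples(auth_user: str = AUTH_USER,
                     allow_send_as: FrozenSet[str] = frozenset()) -> Dict[str, Tuple[bool, str]]:
    """Run the relay check over every constructed sample header."""
    return {name: check_from(hdr, auth_user, allow_send_as) for name, hdr in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, reason) in evaluate_samples().items():
        print(f"{name:16} {'ACCEPT' if ok else 'REJECT':6} {reason}")
    # Same header, two plausible client choices for "the sender":
    cands = candidate_senders(SAMPLES["two_mailboxes"])
    print("first-address client shows:", cands[0], "| last-address client shows:", cands[-1])
    # Domain-level alignment is satisfied by the impersonation:
    print("DMARC-style domain alignment for ceo@ vs intern@:", same_domain("ceo@company.com", AUTH_USER))
    # A service account explicitly allowed to send as noreply@ is still accepted:
    print(evaluate_samples(allow_send_as=frozenset({"noreply@company.com"}))["delegated"])
```

The rule is intentionally blunt: exactly one address anywhere in the header, and that address must be the authenticated account or an explicitly delegated send-as identity. Legitimate mail never needs a second address in From: (RFC 5322 requires a Sender: field for that case, and it is rare in practice), so the false-positive cost is low, while the check closes every variant of the trick at once rather than chasing individual parser quirks.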
End Users Stay Vigilant
Even if a message appears internal, check the full message headers before acting on sensitive requests. Phishing awareness training should now explicitly include “trusted-sender” scenarios that abuse legitimate infrastructure.
The Bigger Picture
The flaw highlights a persistent truth in email security: trust remains an illusion layered atop a decades-old protocol never designed for authentication. SPF, DKIM, and DMARC authenticate the sending infrastructure and the sender’s domain, but they do not vouch for the individual mailbox a recipient sees.
As this Microsoft case shows, attackers can weaponize even fully compliant messages. Layered defenses, and a healthy suspicion of any authenticated but unexpected request, remain the practical safeguards.